The term “GDPR” has become something of a household name over the past year, with many fearing its effects and a good number of people not understanding its implications. The Maltese Data Protection Act was amended in April 2018 to reflect the changes brought about by the General Data Protection Regulation (GDPR), which came into effect on 25 May 2018. The GDPR’s regulatory scope is far wider than that of the original Data Protection Act (DPA).
The previous version of the DPA used to apply solely to processing of personal data carried out in the context of the activities of an establishment of a controller in Malta, or when the equipment used for processing personal data is situated in Malta but the controller is established in a third country. Article 4(2) of the revised DPA extends the scope to include the processing of personal data of data subjects who are in Malta, by a controller or processor not established in the European Union, where the processing activities are related to: (1) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in Malta; or (2) the monitoring of their behaviour in so far as their behaviour takes place within Malta.
Another amendment found in the revised DPA is the obligation of a controller to obtain authorisation from the Information and Data Protection Commissioner should the controller intend to process, in the public interest:
(a) genetic data, biometric data or data concerning health for statistical or research purposes; or
(b) special categories of data in relation to the management of social care services and systems, including for the purposes of quality control, management information and the general national supervision and monitoring of such services and systems.
The GDPR allows member states to legislate freely on how National Identification Numbers may be processed. The 2018 DPA provides for this in Article 8, which states that an identity document may only be processed when such processing is clearly justified having regard to the purpose of the processing and: (a) the importance of a secure identification; or (b) any other valid reason as may be provided by law. The Regulation further reiterates that these national identifiers must only be used under appropriate safeguards for the rights and freedoms of the data subject pursuant to the Regulation.
The revised DPA also makes provision for the processing of personal data for the purpose of exercising the right to freedom of expression and information, including processing for journalistic purposes or for the purposes of academic, artistic or literary expression; such processing is exempt from compliance with select provisions of the GDPR. These exemptions only apply where, in reconciling the right to protection of personal data with the right to freedom of expression, the controller has ensured that the processing is proportionate, necessary and justified for reasons of public interest.
Part IV of the revised DPA refers to transborder data transfers and their regulation. It states that in the absence of an adequacy decision as defined within the Act, the Minister responsible for data protection may, following consultation with the Commissioner, issue regulations to set limits to the transfer of specific categories of personal data to a third country or to an international organisation for important reasons of public interest.
Aside from empowering the Commissioner to impose the administrative fines provided for in the GDPR, the Act also makes provision for fines where a person furnishes the Commissioner with false information or fails to comply with any lawful request made by the Commissioner. Any individual found guilty of these offences would be liable to a fine of not less than €1,250 and up to €50,000, or to imprisonment for 6 months, or to both such fine and imprisonment.
The new Act also introduces the concept of moral damages, which was not present before. A data subject who has been aggrieved may file an application in court to exercise an action for damages against the controller. Furthermore, the GDPR provides that any person who, due to an infringement of the Regulation, suffers material or non-material damage has the right to receive compensation from the controller or processor, as the case may be, for the damage caused.
There are also other aspects of the GDPR that have, as yet, not been reflected in the Maltese Act, although the Act does provide that the Minister responsible for data protection may enact further Regulations should this be necessary. Examples include the establishment of an age of consent lower than 16 years, and the creation of any special rules relating to Data Protection Officers or the employment sector.
For more information on Data Protection and how the legal implications and requirements of the GDPR can impact your business, please contact Dr Michele Tufigno on email@example.com and Dr Emma Portelli Bonnici on firstname.lastname@example.org
Disclaimer: This article is not intended to impart legal advice and readers are asked to seek verification of statements made before acting on them.